linux

bybrooklyn/linux

Fork 0

mirror of https://github.com/torvalds/linux.git synced 2026-04-20 07:43:57 -04:00

Commit Graph

Author	SHA1	Message	Date
WangYuli	52e371914e	drm/ci: Upgrade setuptools requirement to 70.0.0 GitHub Dependabot has issued the following alert: "Upgrade setuptools to version 70.0.0 or later. A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. Severity: 8.8 / 10 (High) Attack vector: Network Attack complexity: Low Privileges required: None User interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High CVE ID: CVE-2024-6345" To avoid disturbing everyone with the kernel repo hosted on GitHub, I suggest we upgrade our python dependencies once again to appease GitHub Dependabot. Link: https://github.com/dependabot Signed-off-by: WangYuli <wangyuli@uniontech.com> Acked-by: Helen Koike <helen.koike@collabora.com> Signed-off-by: Helen Koike <helen.koike@collabora.com> Link: https://patchwork.freedesktop.org/patch/msgid/0237854884D6DB3C+20240716083743.33415-1-wangyuli@uniontech.com	2024-08-13 17:01:36 -03:00
Linus Torvalds	58c09cad17	drm/ci: make github dependabot happy again The drm CI scripts for gitlab have a requirements file that makes the github 'dependabot' worry about a few of the required tooling versions. It wants to update the pip requirements from 23.2.1 to 23.3: "When installing a package from a Mercurial VCS URL, e.g. pip install hg+..., with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone call (e.g. --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial" and upgrade the urllib3 requirements from 2.0.4 to 2.0.7 due to two issues: "urllib3's request body not stripped after redirect from 303 status changes request method to GET" "`Cookie` HTTP header isn't stripped on cross-origin redirects" The file also ends up not having a newline at the end, that my editor ends up wanting to fix automatically. Link: https://github.com/dependabot Tested-by: Helen Koike <helen.koike@collabora.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>	2023-11-13 08:52:24 -08:00
Helen Koike	d70896f296	drm/ci: add helper script update-xfails.py Add helper script that given a gitlab pipeline url, analyse which are the failures and flakes and update the xfails folder accordingly. Example: Trigger a pipeline in gitlab infrastructure, than re-try a few jobs more than once (so we can have data if failures are consistent across jobs with the same name or if they are flakes) and execute: update-xfails.py https://gitlab.freedesktop.org/helen.fornazier/linux/-/pipelines/970661 git diff should show you that it updated files in xfails folder. Signed-off-by: Helen Koike <helen.koike@collabora.com> Tested-by: Vignesh Raman <vignesh.raman@collabora.com> Reviewed-by: David Heidelberg <david.heidelberg@collabora.com> Link: https://lore.kernel.org/r/20231024004525.169002-4-helen.koike@collabora.com Signed-off-by: Maxime Ripard <mripard@kernel.org>	2023-10-26 15:24:20 +02:00

Author

SHA1

Message

Date

WangYuli

52e371914e

drm/ci: Upgrade setuptools requirement to 70.0.0

GitHub Dependabot has issued the following alert:

"Upgrade setuptools to version 70.0.0 or later.

 A vulnerability in the package_index module of pypa/setuptools
 versions up to 69.1.1 allows for remote code execution via its
 download functions. These functions, which are used to download
 packages from URLs provided by users or retrieved from package
 index servers, are susceptible to code injection. If these
 functions are exposed to user-controlled inputs, such as package
 URLs, they can execute arbitrary commands on the system. The
 issue is fixed in version 70.0.

 Severity: 8.8 / 10 (High)
 Attack vector:        Network
 Attack complexity:        Low
 Privileges required:     None
 User interaction:    Required
 Scope:              Unchanged
 Confidentiality:         High
 Integrity:               High
 Availability:            High
 CVE ID:         CVE-2024-6345"

To avoid disturbing everyone with the kernel repo hosted on GitHub,
I suggest we upgrade our python dependencies once again to appease
GitHub Dependabot.

Link: https://github.com/dependabot
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Acked-by: Helen Koike <helen.koike@collabora.com>
Signed-off-by: Helen Koike <helen.koike@collabora.com>
Link: https://patchwork.freedesktop.org/patch/msgid/0237854884D6DB3C+20240716083743.33415-1-wangyuli@uniontech.com

2024-08-13 17:01:36 -03:00

Linus Torvalds

58c09cad17

drm/ci: make github dependabot happy again

The drm CI scripts for gitlab have a requirements file that makes the
github 'dependabot' worry about a few of the required tooling versions.

It wants to update the pip requirements from 23.2.1 to 23.3:

 "When installing a package from a Mercurial VCS URL, e.g. pip install
  hg+..., with pip prior to v23.3, the specified Mercurial revision
  could be used to inject arbitrary configuration options to the hg
  clone call (e.g. --config). Controlling the Mercurial configuration
  can modify how and which repository is installed. This vulnerability
  does not affect users who aren't installing from Mercurial"

and upgrade the urllib3 requirements from 2.0.4 to 2.0.7 due to two
issues:

 "urllib3's request body not stripped after redirect from 303 status
  changes request method to GET"

 "`Cookie` HTTP header isn't stripped on cross-origin redirects"

The file also ends up not having a newline at the end, that my editor
ends up wanting to fix automatically.

Link: https://github.com/dependabot
Tested-by: Helen Koike <helen.koike@collabora.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

2023-11-13 08:52:24 -08:00

Helen Koike

d70896f296

drm/ci: add helper script update-xfails.py

Add helper script that given a gitlab pipeline url, analyse which are
the failures and flakes and update the xfails folder accordingly.

Example:
Trigger a pipeline in gitlab infrastructure, than re-try a few jobs more
than once (so we can have data if failures are consistent across jobs
with the same name or if they are flakes) and execute:

update-xfails.py https://gitlab.freedesktop.org/helen.fornazier/linux/-/pipelines/970661

git diff should show you that it updated files in xfails folder.

Signed-off-by: Helen Koike <helen.koike@collabora.com>
Tested-by: Vignesh Raman <vignesh.raman@collabora.com>
Reviewed-by: David Heidelberg <david.heidelberg@collabora.com>
Link: https://lore.kernel.org/r/20231024004525.169002-4-helen.koike@collabora.com
Signed-off-by: Maxime Ripard <mripard@kernel.org>

2023-10-26 15:24:20 +02:00

3 Commits